Bug 1830283

Summary: [OVN][RFE] Enhance port group support to allow matching on port group ID
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Dumitru Ceara <dceara>
Component: OVN
Assignee: OVN Team <ovnteam>
Status: NEW
QA Contact: Jianlin Shi <jishi>
Severity: medium
Priority: medium
Version: FDP 20.C
CC: ctrautma
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Dumitru Ceara 2020-05-01 13:34:57 UTC
Description of problem:

Enhance OVN to support match expressions of the form "get_group_id(PG)" where PG is a PortGroup that has been configured with an additional (new) option "use_group_id_metadata".

Also add support for match expressions of the form "src_group_id".

get_group_id(PG): is a function that can be translated to an ID that maps to PG in the Southbound DB.

src_group_id is always populated in a register (in tunnel header as well when sending to remote), if the src port belongs to a group that has "use_group_id_metadata" = True.

This will allow CMSs to simplify their network policies and will also generate fewer OpenFlow rules when used in ACLs such as:

match = "outport == @pg_B && src_group_id == get_group_id(pg_A)"
action = "allow"/"drop"/etc

Limitations:
A logical switch port can only be part of at most one Port_Group that has "use_group_id_metadata"=True.

Additional info:

https://mail.openvswitch.org/pipermail/ovs-discuss/2020-April/049888.html
https://mail.openvswitch.org/pipermail/ovs-discuss/2020-April/049932.html
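
A small Python model of the semantics requested above, added here as an illustration; it is not OVN code and not from the reporter. The class and method names, the sequential ID assignment, and the use of 0 for "no tagging group" are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class PortGroup:
    name: str
    ports: frozenset
    use_group_id_metadata: bool = False


class GroupIdModel:
    """Toy model of the proposal: tag traffic with the source port's group ID."""

    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        self.group_ids = {}  # PG name -> ID (stand-in for the Southbound DB mapping)
        self.port_tag = {}   # port -> ID of the one tagging group it belongs to
        next_id = 1          # assumption: IDs handed out sequentially, 0 = untagged
        for g in groups:
            if not g.use_group_id_metadata:
                continue
            self.group_ids[g.name] = next_id
            for port in sorted(g.ports):
                # Limitation from the report: a port may be in at most one
                # Port_Group that has use_group_id_metadata=True.
                if port in self.port_tag:
                    raise ValueError(f"{port} is already in a tagging port group")
                self.port_tag[port] = next_id
            next_id += 1

    def get_group_id(self, pg_name):
        # Only groups configured with the option have an ID to match on.
        if pg_name not in self.group_ids:
            raise KeyError(f"{pg_name} does not use group ID metadata")
        return self.group_ids[pg_name]

    def src_group_id(self, src_port):
        return self.port_tag.get(src_port, 0)

    def acl_matches(self, src_port, outport, dst_pg, src_pg):
        # Models: outport == @dst_pg && src_group_id == get_group_id(src_pg)
        return (outport in self.groups[dst_pg].ports
                and self.src_group_id(src_port) == self.get_group_id(src_pg))


def sample_model():
    # Constructed sample topology (port names are made up).
    return GroupIdModel([
        PortGroup("pg_A", frozenset({"a1", "a2"}), use_group_id_metadata=True),
        PortGroup("pg_B", frozenset({"b1"})),
    ])
```
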